Getting Things Done: The Secret Sauce for the CISO
The key around cyber security remains: Execution, Execution and Execution.
The short tenure of the CISO continues to generate a vast amount of debate, aggravated by the COVID pandemic and the “great resignation” episode that it is inducing.
Looking beyond its reasons, the short tenure of the CISO raises another question: What do you actually achieve in 2 or 3 years in a complex and transversal field such as cyber security, and in particular in large firms?
One of my readers pointed out that some CISOs work precisely on those patterns because they are hired to put in place specific compliance alignment programmes, and they leave when the job is done, which typically takes those 2 to 3 years.
But what happens next? What guarantees can the business have that the next CISO will follow in the footsteps of the previous one? There are many ways to interpret and execute compliance requirements, and no doubt every cyber security professional has specific areas of expertise and particular pet subjects; it is not easy to step in and execute a programme of work designed by someone else.
Because in my view, the key around cyber security remains: Execution, Execution and Execution.
Knowing what to do is reasonably well established, and cyber security good practice – at large – still protects from most threats and still ensures a degree of compliance with most regulations.
Putting it in place, in real life, across the depth and breadth of the modern enterprise, is exactly where large firms have failed over the past 20 years, in spite of colossal investments in that space with tech vendors and large consultancies.
Large organisations morph constantly, either through mergers or organic expansion or their digital transformation (not to mention major disruptive global events such as the 2008-2009 financial crisis or the COVID pandemic); business priorities and the perception of risk by the business shift accordingly, and they mechanically follow business cycles – which may be long or short – and the visibility those business cycles can afford to business leaders at any given time. Those dynamics are unavoidable.
But cyber security works on different patterns, in particular where maturity is low and real change is required to face escalating threats.
Very often, past execution failure in that space has left scars with senior execs. Some would have seen several generations of CISOs coming in with a grandiose transformative plan asking for millions, before disappearing after a few years, having achieved very little in practice in terms of real change.
The secret sauce for new CISOs will be in demonstrating that they can get things done over the right timeframes by manoeuvring around the political maze of large organisations and understanding how they really operate.
This is rarely about buying more tech; it is more about understanding where the roadblocks that have prevented progress in the past lie, how they link with the business culture of the firm, and working out ways to remove or circumnavigate them.
It requires real life managerial experience, personal gravitas and political acumen, more than raw technical skills, because the CISO will not deliver change on their own – and cannot be expected to.
They will do it by leading a team of experts, influencing change and driving the execution of protective measures across the organisation and its supply chain.
More than ever, the key issue for the transformational CISO is time: It takes “the time it takes” to build the right team and drive the long-term dynamics of change around cyber security practices, across an increasingly complex business environment which is itself changing all the time, possibly on different cycles.
Alongside business cycles, CISOs must be realistic about the horizon they give themselves to achieve change, in order to place their role on the right trajectory over the mid to long-term; they must also be allowed and incentivised by their business to do so.
This is much harder than it might have been 10 or 15 years ago when the enterprise was more self-contained, and to keep a bond of trust with senior stakeholders, they must focus all the time on getting things done; not just over the short term, as inevitably tactical initiatives and firefighting requirements will emerge, but also strategically over the mid to long-term as part of a structured and coherent vision for the protection of the business endorsed by all from the Board down.